The Hacker News — Cyber Security, Hacking, Technology News

Update: Find working Exploits and Proof-of-Concepts at the bottom of this article.

Security researchers have discovered more than a decade-old vulnerability in several Unix-based operating systems — including Linux, OpenBSD, NetBSD, FreeBSD and Solaris — which can be exploited by attackers to escalate their privileges to root, potentially leading to a full system takeover.

Dubbed Stack Clash, the vulnerability (CVE-2017-1000364) has been discovered in the way memory was being allocated on the stack for user space binaries.

Exploiting Stack Clash Bug to Gain Root Access

The explanation is simple: Each program uses a special memory region called the stack, which is used to store short-term data. It expands and contracts automatically during the execution of any program, depending upon the needs of that program.

According to researchers at Qualys, who discovered and reported this bug, a malicious program can attempt to use more memory space than available on the stack, which could overflow the memory, causing it to collide or clash with nearby memory regions and overwrite their content.

Moreover, the Stack Clash exploit can also bypass the stack guard-page, a memory management protection introduced in 2010, after this issue was exploited in 2005 and 2010.

"Unfortunately, a stack guard-page of a few kilobytes is insufficient: if the stack-pointer 'jumps' over the guard-page—if it moves from the stack into another memory region without accessing the guard-page—then no page-fault exception is raised and the stack extends into the other memory region," an advisory published by Qualys read.

The Stack Clash vulnerability requires local access to the vulnerable system for exploitation, but researchers said it could be exploited remotely depending upon the applications.

For example, a malicious customer with a low-privilege account at a web hosting company running a vulnerable system could exploit this vulnerability to gain control over other websites hosted on the same server, as well as remotely gain root access and execute malicious code directly.

Just yesterday, we reported how a web hosting company fell victim to a similar attack that infected its Linux servers with ransomware, forcing the company to pay more than $1 Million in ransom to get its files back.

Attackers can also combine the Stack Clash bug with other critical vulnerabilities, like the Sudo vulnerability recently patched, and then run arbitrary code with the highest privileges, said Qualys researchers.

7 Proof-of-Concept Exploits

The researchers said they were able to develop seven exploits and seven proofs of concept (PoCs) for the Stack Clash vulnerability, which work on Linux, OpenBSD, NetBSD, FreeBSD and Solaris on 32-bit and 64-bit x86 processors.

However, the researchers have not yet published the exploits and proofs of concept, giving users and admins enough time to patch their systems before the Stack Clash exploits are made public.

The PoCs follow four steps, which include 'Clashing' the stack with another memory region, running the stack pointer to the stack’s start, 'Jumping' over the stack guard-page and 'Smashing' the stack or the other memory regions.

Distros and software affected by Stack Clash include:

Sudo on Debian, Ubuntu, and CentOS

ld.so and most SUID-root binaries on Debian, Ubuntu, Fedora, and CentOS

Exim on Debian

rsh on Solaris 11 and so on

Red Hat Enterprise

The company also believes that other operating systems, including Microsoft's Windows, Apple's OS X/macOS and Google's Linux-based Android OS could also be vulnerable to Stack Clash, though it is yet to be confirmed.

Patch Available; Update Now

Many affected vendors have already issued security patches for the bug, so users and administrators are advised to install the patches as soon as possible.

If security patches from your vendor have not yet been released, you can reboot your systems or manually apply stack limits to local users' applications: set the hard RLIMIT_STACK and RLIMIT_AS of local users and remote services to a low value.

It is also recommended to recompile all userland code (ld.so, libraries, binaries) with the -fstack-check feature. This would prevent the stack pointer from moving into another memory region without accessing the stack guard-page and would kill Stack Clash dead.
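The interim mitigation above (capping the hard RLIMIT_STACK and RLIMIT_AS), as an added shell example that is not from the article or from Qualys: one helper reports whether the hard stack limit is still unlimited, one caps it for the current shell and every service launched from it, and one prints the matching pam_limits lines for persistence. The account name "www-data" and the limit values are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the article: helpers around the interim Stack Clash
# mitigation of lowering the hard RLIMIT_STACK / RLIMIT_AS of local users and
# of the services an administrator starts.

# hard_stack_is_unlimited: succeed (0) when the hard RLIMIT_STACK of this
# shell is "unlimited", i.e. the interim mitigation is not in effect.
hard_stack_is_unlimited() {
    [ "$(ulimit -H -s)" = "unlimited" ]
}

# cap_hard_stack KB: lower the stack limit of this shell to KB kilobytes.
# Without -H/-S, ulimit sets the soft and the hard limit together; they must
# drop together because the kernel rejects a soft limit above the hard one.
# An unprivileged user can only lower a hard limit, never raise it again, and
# child processes inherit it, so run this in the shell or init script that
# starts the service to be protected.
cap_hard_stack() {
    kb=$1
    ulimit -s "$kb" || return 1
    [ "$(ulimit -H -s)" = "$kb" ]
}

# limits_conf_lines USER STACK_KB AS_KB: print the /etc/security/limits.conf
# entries (pam_limits syntax, assumed to be in use) that make the caps apply
# to every login of USER. "stack" is RLIMIT_STACK, "as" is RLIMIT_AS, both in
# kilobytes; size them for the real workload before deploying.
limits_conf_lines() {
    printf '%s hard stack %s\n' "$1" "$2"
    printf '%s hard as %s\n' "$1" "$3"
}

# Report the state of this shell, then print a persistent configuration for a
# hypothetical service account (placeholder values).
if hard_stack_is_unlimited; then
    echo "hard RLIMIT_STACK is unlimited: interim Stack Clash mitigation not applied"
fi
limits_conf_lines www-data 8192 4194304
```

RLIMIT_AS is deliberately not changed by cap_hard_stack, because a value that is too low for the running shell makes later allocations fail; set it per service through the printed limits.conf lines instead.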

Exploits and Proof-of-Concepts Released!

Since Fedora and Slackware have published updates, and FreeBSD and NetBSD have issued patches, Qualys researchers have finally released exploits and POCs for the Stack Clash vulnerability.

It's not at all surprising that the Google Play Store hosts a large number of malicious apps that lure users into falling victim to one, but this time it is even worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed 'Godless,' that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that's slightly terrifying.

The malicious apps are distributed via different methods and a variety of app stores, including the Google Play Store, which is usually considered a safe option for downloading apps.

The malicious apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that work on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

The Android ecosystem is so broken that around 90 percent of all Android devices are vulnerable to this malicious software. Godless apps have already been installed on more than 850,000 devices worldwide so far.

Rooting a device could expose a user to several security risks as it practically opens the door to unwanted access, hardware failure, data leaks and information theft, and so on if the developer has malicious intent.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as "android-rooting-tools" to gain root access to the victim's device.

From there, the malware will make sure the victim's screen is turned off before executing the malicious code.

Here's what a Godless-Packed App can do to your Device:

Once Godless has gained root privileges, it starts communicating with a command and control (C&C) server, from which it receives a list of apps to be installed on the rooted device and installs them without the user's knowledge; all of this can be done remotely as well.

"With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices," Trend Micro says. "This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users."

The researchers say the malware has the ability to bypass the security checks performed by the Google Play store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights, Wi-Fi apps, and popular game apps, that contain the malicious Godless code, Trend Micro had identified only one such Android app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it's still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits in order to gain a persistent foothold on victims' handsets. Based on the graphic, most victims are located in India, followed by Indonesia, and Thailand (9.47 percent). The US also has around 17,000 Godless downloads.

"Unknown developers with very little or no background information may be the source of these malicious apps," Trend Micro notes.

So, in order to avoid being a victim to one such app, Android users are advised to avoid using third-party app stores and always "review the developer" when downloading apps even from Google’s official store.

It is possibly one of the most frequently asked questions on the Internet.

Although hacking Android devices and gadgets is not that simple, sometimes you just get lucky and find backdoor access.

Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of Linux Kernel with an incredibly simple and easy-to-use built-in backdoor.

Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets, ARM-based PCs, set-top boxes, and other electronic devices worldwide.

Simple Backdoor Exploit to Hack Android Devices

All you need to do to gain root access of an affected Android device is…

Send the text "rootmydevice" to any undocumented debugging process.

The local privilege escalation backdoor code, intended for debugging ARM-powered Android devices, made its way into shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices; the mainstream kernel source is unaffected.

The backdoor code is believed to have been left by mistake by the authors after completing the debugging process.

To exploit this issue, any process running under any UID can easily be converted into root by simply using the following command:

echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug

The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM for tablets, but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs, Orange Pi, and other devices.

At the forum of the Armbian operating system, a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable "if combined with networked services that might allow access to /proc."

This security hole is currently present in every operating system image for A83T, H3 or H8 devices that rely on kernel 3.4, he added.
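An added audit helper, not from the article or the Armbian forum, that lets an administrator check a 3.4-sunxi system for the exposed debug node without ever writing to it; the node path is the one quoted above, and the verdict strings and the optional path argument are the example's own.

```shell
#!/bin/sh
# Added example, not from the article: audit the Allwinner sunxi debug node.
# The check only inspects the node's presence and permissions; it never
# writes to it.

SUNXI_DEBUG_NODE=/proc/sunxi_debug/sunxi_debug

# sunxi_debug_exposed [NODE]: succeed (0) when NODE exists and the calling
# user can write to it, which is the precondition for the escalation. Run it
# as the unprivileged service account rather than root, because -w is always
# true for root. NODE defaults to the real procfs path; a test may pass a
# temporary file to simulate the node.
sunxi_debug_exposed() {
    node=${1:-$SUNXI_DEBUG_NODE}
    [ -e "$node" ] && [ -w "$node" ]
}

# sunxi_audit [NODE]: print a one-line verdict and return 1 when the node is
# exposed, 2 when it exists but is not writable by this user, 0 when absent,
# so the function can gate a boot-time health check.
sunxi_audit() {
    node=${1:-$SUNXI_DEBUG_NODE}
    if sunxi_debug_exposed "$node"; then
        echo "VULNERABLE: $node is writable by $(id -un) on kernel $(uname -r);" \
             "update to a kernel without the debug code and keep /proc away from untrusted services"
        return 1
    fi
    if [ -e "$node" ]; then
        echo "PRESENT: $node exists but is not writable by $(id -un); re-run as the service account"
        return 2
    fi
    echo "OK: $node is not present"
    return 0
}

# Report on the real node of the machine this runs on.
sunxi_audit
```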

This blunder by the company has frustrated many developers, and Allwinner has also been less than transparent about the backdoor code. David Manouchehri released the information about the backdoor through his own GitHub account (Pastebin) and then apparently deleted it.

A critical zero-day vulnerability has been discovered in all versions of Apple's OS X operating system that allows hackers to exploit the company’s newest protection feature and steal sensitive data from affected devices.

With the release of OS X El Capitan, Apple introduced a security protection feature to the OS X kernel called System Integrity Protection (SIP). The feature is designed to prevent potentially malicious or bad software from modifying protected files and folders on your Mac.

The purpose of SIP is to restrict the root account of OS X devices and limit the actions a root user can perform on protected parts of the system in an effort to reduce the chance of malicious code hijacking a device or performing privilege escalation.

However, SentinelOne security researcher Pedro Vilaça has uncovered a critical vulnerability in both OS X and iOS that allows local privilege escalation and bypasses SIP without a kernel exploit, impacting all versions to date.

Bypass SIP to Protect Malware

The zero-day vulnerability (CVE-2016-1757) is a non-memory-corruption bug that allows hackers to execute arbitrary code on any targeted machine and perform remote code execution (RCE) or sandbox escapes, according to the researcher.

The attacker then escalates the malware's privileges to bypass SIP, alter system files, and then stay on the infected system.

"The same exploit allows someone to escalate privileges and also to bypass system integrity," the researcher explains in a blog post. "In this way, the same OS X security feature designed to protect users from malware can be used to achieve malware persistency."

By default, System Integrity Protection or SIP protects these folders: /System, /usr, /bin, /sbin, along with applications that come pre-installed with OS X.

Easy-to-Exploit and Tough to Detect-&-Remove

According to Vilaça, the zero-day vulnerability is easy to exploit, and a simple spear-phishing or browser-based attack would be more than enough to compromise the target machine.

"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."

The most worrisome part is that the infection is difficult to detect, and even if users ever discover it, it would be impossible for them to remove the infection, since SIP would work against them, preventing users from reaching or altering the malware-laced system file.

Although the zero-day vulnerability was discovered in early 2015 and was reported to Apple in January this year, the good news is that the bug doesn't seem to have been used in the wild.

Apple has patched the vulnerability, but only in updates for El Capitan 10.11.4, and iOS 9.3 that were released on 21st March.

Other versions do not appear to have a patch update for this specific vulnerability from Apple, meaning they are left vulnerable to this specific zero-day bug.

More than a billion Android devices are at risk from a severe vulnerability in the Qualcomm Snapdragon chip that could be exploited by any malicious application to gain root access on the device.

Security experts at Trend Micro are warning Android users of some severe programming blunders in Qualcomm's kernel-level Snapdragon code that if exploited, can be used by attackers for gaining root access and taking full control of your device.

Gaining root access on a device is a matter of concern, as it grants attackers access to admin level capabilities, allowing them to turn your device against you to snap your pictures, and snoop on your personal data including accounts’ passwords, emails, messages and photos.

The company's own website notes that Qualcomm Snapdragon SoCs (systems on a chip) power more than a billion smart devices, including many Internet of Things (IoT) devices, as of today. Thus, the issue puts many people at risk of being attacked.

Although Google has pushed out updates, after Trend Micro privately reported the issues, that now prevent attackers from gaining root access with a specially crafted app, users will not be getting the updates anytime soon.

"Given that many of these devices are either no longer being patched or never received any patches in the first place," said Trend engineer Wish Wu, "they would essentially be left in an insecure state without any patch forthcoming."

Unfortunately, what's more concerning is that the same vulnerable chips are used in a large number of IoT devices, which are no longer in line for security updates, making it possible for hackers to gain root access to these connected devices.

"Smartphones aren't the only problem here," said Trend's Noah Gamer. "Qualcomm also sells their SoCs to vendors producing devices considered part of the Internet of Things, meaning these gadgets are just as at risk."

"If IoT is going to be as widespread as many experts predict, there needs to be some sort of system in place ensuring these devices are safe for public use. Security updates are an absolute necessity these days, and users of these connected devices need to know what they're dealing with."

Whatever the reason, if security patches are not available for your device model or take too long to arrive, in both cases it gives miscreants time to exploit the security holes and gain control of your device.

However, some users are lucky to choose Google’s handsets that get their patches direct from the tech giant automatically, making them safe from the vulnerabilities. The handsets include Nexus 5X, Nexus 6P, Nexus 6, Nexus 5, Nexus 4, Nexus 7, Nexus 9, and Nexus 10.

All of the smart devices using the Qualcomm Snapdragon 800 series, including the 800, 805 and 810 and running a 3.10-version kernel are affected by the vulnerabilities.

The vulnerable code is present in Android version 4 to version 6. In their tests, researchers found the Nexus 5, 6 and 6P and the Samsung Galaxy Note Edge using vulnerable versions of Qualcomm's code.

Since the researchers do not have access to every Android handset and tablet to test, the list of vulnerable devices is not exhaustive.

Since the researchers have not disclosed full details about the flaws, the short brief about the vulnerabilities is as follows:

1. Qualcomm-related flaw (CVE-2016-0819): The vulnerability has been described by the researchers as a logic bug that allows a small section of kernel memory to be tampered with after it is freed, causing an information leak and a use-after-free issue in Android.

2. The flaw (CVE-2016-0805) is in Qualcomm chipset kernel function get_krait_evtinfo: The get_krait_evtinfo function returns an index into an array used by other kernel functions. With the help of carefully crafted input data, it is possible to generate a malicious index, leading to a buffer overflow.

3. Gaining root access: Using both the flaws together on vulnerable devices, attackers can gain root access on the device.

The researchers will disclose the full details of exactly how to leverage the bugs at the upcoming Hack In The Box security conference in the Netherlands to be held in late May 2016.

Smartphones are always ready to connect to the Internet and contain sensitive information such as contacts, SMS, photos and GPS data, and this sensitive information is always in danger of leaking.

According to a report, Cyber criminals and state-sponsored hackers are developing 55,000 new malware variants, each and every day; and many of them try to elevate privileges for unfettered control of the user device.

North Carolina State University researchers have developed new software, called Practical Root Exploit Containment (PREC), with the sole purpose of detecting mobile malware that attempts to run root exploits on Android devices. Root exploits take control of the system administration functions of the operating system, which gives the hacker unrestricted control of the user's smartphone.

That means an application that has no permission to read your messages, contacts or GPS location will, after gaining root access, be able to steal any data from your device.

Anomaly detection is an existing detection technique that compares the behavior of a downloaded smartphone application, such as Google Chrome, with a database of how the application should be expected to behave. "When deviations from normal behavior are detected, PREC analyses them to determine if they are malware or harmless 'false positives.' "

The PREC tool uses refined anomaly detection techniques to keep it from raising false positives. "Anomaly detection isn't new, and it has a problematic history of reporting a lot of false positives," said Dr Will Enck, co-author of the research paper.

PREC targets the code written in C language which is usually used by hackers to create malware and can identify calls made to native C code from a Java program.

The researchers tested a prototype of the tool on the Google Galaxy Nexus device against 150 Android apps, of which 10 contained root exploits. “We can achieve 100 percent detection rate and raised false alarms in one out of 140 popular apps tested,” he said.

Malware writers have developed techniques that hide malware until the application is installed on the smartphone. Thanks to Google, most apps in the Android Play store are pretty clean, but the best protection is common sense: only install apps from trusted sources.